Dear Developers,
I was wondering if the new Open Ondemand 4.1.x is NIST 800-171 compliant? And if it’s not, are you planning on making the product compliant in the near future?
Thank you for your time,
–David
David:
In the subject you mention NIST 800-171 (more commonly called ‘CUI’ or ‘CMMC’), but in the message you mentioned NIST 140 (more commonly called ‘FIPS’). Which are you specifically looking for?
My limited understanding of these is that it isn’t really appropriate for Open OnDemand itself to be ‘certified compliant’ for either. I could be mistaken on this, but CMMC/CUI certification is generally associated with an organization / institution and their specific deployments/configurations of services. FIPS is similar, but generally involves cryptographic aspects of services.
Are you aware of other open source software products documenting ‘compliance’ with these standards that could serve as a guideline for us?
Hi,
I’m sorry about that. I’ve edited the message and corrected my mistake. I will get back to you on an example that we have in house. Thanks for the quick reply.
–David
Hi Alan,
So I realize that OOD has a lot of moving parts and making it compliant as a whole would be challenging. Do you know of any institutions that have “made” Open Ondemand NIST 800-171 compliant by using 3rd party tools or other techniques?
–David
David - I’m still a bit confused by your question.
We are going through a general process here at OSC of being able to support clients with research needs that have CUI compliance requirements. This generally involves us as an organization getting a CMMC audit / certification.
We also have a LOT of experience already supporting clients with Export Control (i.e. EAR / ITAR) or PHI (i.e. HIPAA) compliance needs.
In none of those discussions / regulatory frameworks have we ever asked for any type of certification of compliance with said standards from the various software products we utilize (i.e. we don’t ask for it with RedHat, or Slurm, etc. etc.). All of the compliance / certification is around our specific implementations / processes / procedures with the various hardware and software we manage.
As such, I’m trying to understand what exactly Open OnDemand NIST 800-171 compliance would even mean from a documentation standpoint, let alone a technical standpoint.
Could you clarify a bit more what ‘success’ would look like to you in terms of your question about compliance? And likewise can you point to any other example software products that meet a similar ask (i.e. is Slurm or Redhat or something else NIST 800-171 compliant)?